2022 Talks

Shining a light into Container Cluster visibility

Presented by Nathaniel Quist Principal Researcher - Unit 42|Prisma Cloud

Cloud Threat actor groups like TeamTNT, WatchDog, Kinsing and Nobelium (the group behind the SolarWinds Orion supply chain attack) have been witnessed directly targeting containerized applications. Moreover, the containerized applications these groups target are not the most vulnerable or heavily exposed container applications used in the wild. My research into the top 20 most exposed and vulnerable containerized applications revealed containerized applications ripe for misuse. Namely, several widely exposed databases and at least four containerized applications with 90+ historical vulnerabilities and WordPress with more than 1300 known vulnerabilities to date, is one of the most heavily used container applications. The research also revealed that security operation teams have limited visibility to detect and mitigate potential attacks targeting the K8s cluster hosting these applications. Yet, service mesh platforms can provide these capabilities by providing insight into what has been a relative black hole for security practitioners within microservice environments, and network traffic within the cluster.

Service mesh platforms, like Istio, Linkerd and Consul, are traditionally developer and administrator toolsets and have never really been considered a security tool. However, there is something vitally important within these tools that security teams should make note of, manipulation of micro-segmentation network traffic between containers. Developers have been using service mesh architectures to load balance, a fuzz for a while now. But these meshes also have amazing security benefits like mutual TLS, for all inner cluster network traffic, and they can even be used configured to work across hybrid cloud platforms, i.e. in both on-prem and cloud environments. This is a crucial step when monitoring traffic and sending this traffic to traditional security tools like WireShark or Suricata. Nearly all security network monitoring tools only see egress and ingress traffic from the cluster hosts, but with a service mesh extracting rule-based network traffic from inside the cluster, security teams can monitor security incidents inside the K8s cluster.

In this talk, we will shine a spotlight on the threats facing cloud microservice architectures and how service mesh platforms like Istio, Linkerd and Consul can enhance the visibility of security incidents within K8s clusters. This talk is geared toward cloud security architects who want to bring K8s cluster network traffic visibility to security operation teams. We will cover how service mesh architectures can work in tandem with security tools to track threat actors hiding in the cluster.

School of /proc: Kubernetes Security in the Post-PSP World

Presented by Alexander Wise Technical Account Manager - Verica

With the deprecation of the PodSecurityPolicy in Kubernetes, SIG Security has offered two potential replacements: the brand new Pod Security Admission and the Admission Control API. I will walk through what the PSP was, the security flaws that meant it had to go, and the two potential replacements, with a focus on adapting them to brownfield environments with existing (probably insecure) workloads.

Pain in the Appx

Presented by Jack Mott

Windows application package files (.APPX) are the installation system used to install Universal Windows Platform apps. Similar to other installer types, such as MSI files, APPX files are created to provide the simple distribution and installation of software . However, these have recently been abused by what we track as an emerging and financially motivated cybercriminal group distributing BazaarLoader/Emotet malware. In this presentation, we will show how we identified and tracked this activity, take a dive into malware analysis of the observed campaigns, discuss the infection chain, and explain how this led to the ms-appinstaller HTML protocol handler being removed. We will finish by exploring network and file based detection opportunities for defenders.

Grinding Phish Into Detections

Presented by Jason Williams Principal Security Researcher, TwinWave

Credential phishing seems like it has always been around, but it really exploded a number of years ago when exploit kits went away and ransomware and maldocs took over. Over the years since, security analysts have been writing detections and watching the landscape shift into what it is today: A big ol mess of javascript, abused services, redirections and varying levels of “sophistication”. This talk will not be a phishing 101 conversation, but rather demonstrate various aspects of detecting modern credential phish with popular open source tools such as yara, clamav, and suricata, with a healthy dose of regex.

Clean Forensics: Analyzing network traffic of vacuum bots

Presented by Karan Dwivedi Security Manager at Google

Have you ever wondered how vacuum bots work under the hood? How safe is your home’s floor plan that these bots automatically scan? This talk will walk you through a step-by-step procedure on how you can perform network forensics all from the comfort of your own home. For a particular set of bots, we uncovered and reported issues like plaintext transmission of passwords and a way to manipulate their cleaning schedules. The audience walks away with not only the awareness of security and privacy issues with vacuum bots but also a method to research on their own.

We would like to thank the following people: Best Boy => Still Wills Cat (234-55-2987) Lead Pew-Pew-er => Will Shand (345-26-7645)